Banner Iklan

Banner Iklan

PACKET ATTACKS - VERSION 1.1

Let me start by saying the internet is full of wonderful tools and papers like this one. Alot of these things can help youincrease your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them tomuch and decide to harm other peoples work for no apparent reason. Let it be known that is in no way the purpose of thispaper. A true hacker is one who strives to attain the answers for themselves through curiosity. Its the path we take tothose answers that makes us hackers, not destruction of other peoples work. So with that said, please enjoy my work, as Ihave enjoyed writing it.

The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage.Well I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run on sentences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about thespecifications of a protocol by reading its 30 page RFC document. But that is the protocol according to design, in the wildits a different story all together. 'Packet Attacks' covers everything from basic DOS attacks to TCP/IP hijacking. Hence thename "Packet Attacks". This paper also focuses not just on attacks but practical ways to prevent such attacks and ideas onnew methods to help us stop them and secure our networks.

---Chapter 3.--- Section a. The future of TCP/IP as a means of using IPv6

---Chapter 4. --- Section a. New security application / protocol

-----Introduction.

Well I assume most of you reading this paper already have a good understanding of TCP/IP and how it works so I wont get tomuch into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web ofmachines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges andlots more. All of these devices (although some are smarter then others) push along packets. Our operating systems andapplications craft these packets in order to send data to one another over the wire. Each packet, although varying in size,carries a small bit of data to and from one host to another. Each packet must also carry its own personal information suchas where it came from and where its headed. Of course there is a lot more to a packet then just this information. But as faras attacks go this is the crucial information we need to look at. Now there are many many different types of protocols thatcraft many different types of packets. And they are all read differently when they are received at the other end. Where asan ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits in thatMP3 your downloading. Regardless the data, all of these packets use the same wire to move to and from locations. I couldn'tpossibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of thisrunning in the background while they surf the net. Most people dont understand the complexity of this internet we are all sofamiliar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverseengineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is soembedded in our infrastructure we must adapt and learn to defend each new attack.

OSI MODEL

Open Systems Interconnection model, is a seven layered networking design. Its an industry standard that defines exactly howdata is transffered between protocol to protocol. Not every protocol follows the OSI model exactly and some do. TCP theinternets main mode of data transport does not follow it exactly. Let me take you through a brief over view of the OSI model.

Layer Seven : Application LayerThis layer is obviously application specific, it provides everything from authentication to email to ftp and telnet, thelist goes on. Its specifically for end user processes, what we input into our applications we can see on our screens.

Layer Six : Presentation LayerThis layer changes and possibly encrypts the data so that the application layer can understand it. (you will understand whatthis means in a few minutes)

Layer Five : Session LayerThink of this layer as Establishment, Control and Termination of the sessions formed by theapplication(client) to a remote host(server).

Layer Four : Transport LayerThis layer is responsible for the invisible transfer of data between host to host. It is there to ensure all data transfergoes accordingly. The protocols used are, UDP and TCP.

Layer Three : Network LayerThis layer is for error correction, packet sequencing, and for transmitting data from node to node. Addressing is alsoanother function of this layer in inter-networking.

Layer Two : Data Link LayerThis layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error correctionin the physical layer. This layer is also divided into two different sub-layers. The LLC (logical link control) and MAC(media access control) sub layers. The LLC sub layer provides control for frame synchronization and error checking. The MACsub layer controls how a computer on your network has access to data.

Layer One : Physical LayerThis layer is the actual movement of the data. Using electrical impulse or some other form of data movement is pushes thebit stream towards the other host. This layer is the hardware level, the ethernet card, the wire etc. There are manyprotocols within this layer.

You may ask yourself why I listed these from 7 to 1. Well I did to show you how the OSI model really works. Layer Sevenreally comes first, the end user types something into his instant messenger (for example) and the data flows down throughthe OSI model being encapsulated and changed at every level it has to be changed or corrected at. The data travels the wireand at the other end it moves back up the OSI model all the way back up to layer seven where the other host can read it inthe original form it was sent. So theres a VERY basic understanding of the OSI model and how it works to transmit data fromhost to host. There is alot more protocols and parts to the OSI model but this basic representation should provide a firmunderstanding.

To understand all of this more in depth please get your hands on a few RFC (request for comment) documents and start reading.Because it will take you a very long time to understand exactly how TCP/IP works. If your very knowledgeable in the wayTCP/IP works then this paper should make alot of sense to you, perhaps even bore you! :( On the other hand if you dontunderstand TCP/IP as well as you would like to, you still might get something out of this. I try and explain all of thetechnical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)Data_Clast

The most common attack on the internet today is a denial of service attack. There are many programs on the internet todaythat will assist anyone in crafting one of these attacks. The sad part is for as easy as they are to make their power can bedestructive when used properly. No matter what kind of packet attack it may be most are based on the same principal, volume.Thousand and thousands of spoofed packets will eat up network resources within minutes, choking and essentially 'killing'any network. There are many types of packet attacks. Some are more sophisticated then others. I will also talk about TCP/IPhijacking and your typical port and vulnerability scans among other things.

Why do people launch these attacks? How are they launched? How do they exactly (technically speaking) 'choke a network'?!Hold tight im getting to that. The lower end of these attacks are usually launched by what the hacker community calls ascript kiddie. You see a hacker isnt a mindless web defacing juvenile (please see the mentors manifesto). A hacker is aperson of true intellect and would never craft such an attack for no reason. But these lower end attacks are usuallylaunched at peoples individual machines. Their IP address's may come from an IRC chat room, yahoo messenger, AOL, ICQ, orwhatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock anindividual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order toslow their sales or disrupt their outgoing internet connection. Whatever the reason may be they are usually launched for areason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.

The more sophisticated attacks are aimed at government and root points of the internet. Such as the attacks on the root DNSservers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over anhour and successfully took out a few of the servers. If the attack had lasted just a few more minutes who knows the damageit could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim tonone because they are created and launched by skilled malicious individuals. They were also distributed denial of serviceattacks. Which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch moreon that later though.

Section b.

You will learn more about how these individual attacks are crafted and how they work later in this paper but this issmall introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to anIP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIXopenly supports open socket programming (many tutorials on this type of programming). Which means you can code programs thatcreate packets and then inject them into the network with ease. An example of this would be a program called "SENDIP" whichallows you to create custom packets, and it supports many protocols (another good program is nemesis). I have written a fewtutorials using SENDIP, I think its a great program for both advanced and new network engineers to use. It will help youlearn about packet structure and the different protocols it supports. Microsoft is not an open source company, which prettymuch makes it even harder to find help in creating these sorts of programs for Windows. But it is possible to craft theseattacks from within a Windows environment. Its referred to 'Winsock' programming. Infact most of these DDOS attacks arebecause of vulnerable Windows boxes out on the net. They are sitting ducks for trojan horses and other programs that craftthese attacks on servers when commanded from a client program to do so. Most end users do not understand security and howeasy it is to break into someones home computer, so they lack firewalls and virus scanners. This leads to many zombiemachines available to hackers disposal on the net. All one has to do is scan a class C subnet for open trojan ports andhack their way into those trojans and use them as a backdoor, another zombie is created for attacking remote targets. Almostevery program that interacts with TCP/IP generates packets to and from places, this is valid traffic. As you read you willdistinguish the difference between valid and non valid, as it easy pretty easy to understand what I am explaining when I say"attack". When creating an open socket and crafting spoofed packets these programs tell the kernel they are going toconstruct their own IP headers. Usually this information is put on by the kernel before exiting the machine. But in thisinstance we are telling the kernel we want to specify our own information. Not all operating systems will allow this. Andno I dont have a detailed list of which do and which dont. Most of the experiments I have conducted on my network useddifferent versions of RedHat Linux, Mandrake Linux, and Windows XP.

Chapter 2.

Section a.

There are several different types of packet attacks. Theres the simple brute flood of ICMP packets which floods a networkand eats up all the available bandwidth. And then there are more sophisticated attacks like the Smurf or SYN/ACK attack.All of these attacks target different things. While the SMURF attack may target the general network its attacking, theSYN/ACK attack targets a specific host or service running on a host. We also must take into consideration when a target isattacked it may not be the only machine affected. There are many routers and other boxes transfering the data between pointA and point B. Other peoples legitimate data is flowing between them, and may be disrupted by the packet flood. Even a topof the line router can only handle so much data. And unfortunately it is very easy to attain soure code for these attacksall over the web. Lets take a more detailed look at each attack.

ICMP brute flood attack.

ICMP works on top of TCP. The ICMP protocol is simple yet very effective. Its used for error correcting and testing networkconnectivity. Your average PING program uses ICMP packets to test network connectivity. By sending a small amount ofarbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host, simple right? A typical ICMP packet iscalled an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when it arrives there it requests an ECHO_REPLY.Thats when everything is done according to design. If you want more info on an ICMP packet and how it works then read mytutorial on that!http://www.theory-x.org/dataclast/_content/MPS.txt

In this attack the source IP address is spoofed. So now hundreds, thousands of ECHO_REQUEST packets rush towards theirdestination. They reach point B, request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK, reads the source IP.The source IP ends up being unreachable. But point B is waiting a small amount of time (milliseconds) to determine that forevery packet thats hitting it. It will be a few more moments before the process relinquishes this small bit of memory backto the system. This adds up to a great deal of packets and memory allocation building up. Now if these packets are comingfrom multiple source zombies (DDOS) then this means there each coming from different routes. So even if one ISP stops oneattack, there are still many more zombie machines attacking the victim. All of this is eating up time and bandwidth, becausewith every millisecond that passes more and more bandwidth is being taken up. Eventually point B can no longer keep up withthe ECHO_REQUESTS and his connection is completely flooded and of no use. On an unprotected system or router this attackcan be very consuming. This attack is also sometimes referred to a bandwidth attack. Even if the target is running anadvanced firewall it cannot protect the wire it connected to from being flooded with packets. There have been changes inthis attack as well. On the net there are what we call amplifiers. On every network there are the network and subnetaddresses. In many default configurations when you ping either one of these addresses they multiply the echo requests by 4or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed source IP, being thevictims real IP. So even tho the traffic becomes valid as far as IP addresses go. The victim gets bombarded with massiveECHO_REPLY packets. You will see more of this description in other attacks, as it works for some of those to.

(first part is repeat from ICMP attack) There have been changes in the ICMP attack. On the net there are what we callamplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping eitherone of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) orsubnet address (.255) with a spoofed source IP, being the victims real IP. So even tho the traffic becomes valid as far asIP addresses go. The victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in otherattacks, as it works for those to.

You can try this attack on your home network by simply opening a packet sniffer on each machine that is on. Pick a machine,any machine and ping your broadcast address. Mine is 192.168.0.255 Immediately you see each machine receiving a broadcastpacket. Now imagine its several hundred and each one has a spoofed source IP address. Its a brute ICMP attack on a massivescale, this possibilities to this attack are endless. You could easily implement this attack in anyway you chose. You couldspoof the victims real IP as your source IP and create massive volumes of legit ECHO_REPLY packets. Even though its validtraffic, its 4x or more times the normal load of valid traffic. This consumes the connection and valid traffic cant pass,or passes so slowly it makes no difference to the end user.

The SYN/ACK attack is a very powerful attack. SYN/ACK packets are also used in TCP hijacking, and the TCP/IP three wayhandshake. When an application wants to connect with a server somewhere over the net via a TCP connection (connection vsconnectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine he wants to makea connection on a certain specified port, and then send data. When the target machine read the SYN packet it replies tothe original host with a SYN packet of his own and an ACK (acknowledgement) packet with sequence and ack numbers. These SEQand ACK numbers are used to synchronize the data transfer, incase one or two packets gets lost or slowed down along itsroute, it can be assembled again in the correct order. The orignal machine replies again with another SYN ACK packetcombination acknowledging the sequencing numbers and then it starts to send data. When it creates this connection a tinypiece of memory is allocated to hold the connection while the packets are in route. Now a SYN/ACK attack would consist ofspoofing the source IP address on the original SYN packet. The target receives the request for a connection, reads thespoofed source IP and tries to send its own SYN and ACK packet to a destination that does not exist. Most operating systemswill continue to send SYN/ACK packets if they dont receive a reply as a method of error correction and guaranteed datadelivery. Just like in the ICMP attack the machine has to wait a few milliseconds before abandoning all hope of reachingthe machine. So these tiny allocated spaces of memory are building up with every spoofed packet that arrives at the target.This attack is very powerful and can disable a service running on the target machine in a matter of minutes. Not to mentionall the available bandwidth is eaten with thousands and thousands of spoofed packets. So there is the SYN/ACK attack in abrief description.

[zombie machine] --> SYN packet (source IP 1.1.1.1, port = 23 telnet) (seq = 100) --> [target][??????????????] As you can see from the simple drawing above the target machine has no idea who is sending the SYN packets and the telnetserver he is running on port 23 would most likely crash. At best the telnet daemon would not allow any other legitimatetraffic through, as it could not gather enough resources (memory, bandwidth) to make the connection due to all the spoofedpackets.

Another use of this attack is to disconnect a user from their current TCP session. By spoofing SYN/ACK packets to a servera client is currently using. An attacker would place a "FIN" flag in the packets, this tells the server the client is donesending data. Client uses his connection and attacker walks away undetected, because it only took one packet to accomplishthis.

UDP attack

UDP is a protocol that is used to transfer data. Short for USER DATAGRAM PROTOCOL. UDP offers very little error correctionand is used as an alternative means for data transfer. It doesn't require the 3 way handshake such as the SYN/ACK method,so its initial attack may not take down a remote daemon as quickly. UDP is generally used to broadcast messages over anetwork. A UDP attack would consist of spoofing the source IP addresses and specifying a port number like in the SYN attackabove. UDP packets are generally large because they are usually used on closed 100mb subnets (LANS). So an attack would setflags in the packets and fragment them (break them up and flag where in the packet they broke, so they can be reassembledon the receiving end). For example in Windows 2000 there was a remote UDP DOS exploit that used the IKE service running onport 500. All an attacker had to do was connect to port 500 on a random machine with that port open. Start sending massiveUDP packets (above 500 bytes) to that service and the CPU usage would hit 99% and the machine would lock up. The typicalports that accept UDP packets are 7, 13, 19 and 37 on a Windows box.

DNS attack

The DNS attack is a special one. Not as easily crafted as the others, there arent that many tools readily available to theaverage script kiddie to construct such an attack. The DNS protocol is used for name resolution, 216.239.35.100 = google.com,simple as that? Well not really. A DNS attack is based on the fact that a DNS query takes very little data and bandwidth tocreate, but a DNS response is much bigger. So this is how a DNS attack would look like.

As you can see the attack is sort of relayed from a legitimate DNS server. Although the DNS response packets are 'legit'there is a massive flood of them because the DNS server that is sending them is a very good machine on a very goodconnection. The end user, most likely a home pc, gets flooded with these huge DNS response packets it never asked for.

ARP attack

The arp attack is a special one, it can be used to 'hijack' a tcp connection currently in session or it can be used tosniff the legitimate traffic on a wire other then your own. Which is a very dangerous thing in the information world welive in today. There are a few methods of this attack. Lets say person1, attacker, and server are all on the same subnet.Person1 and server currently have an FTP session open. Attacker sends both server and person1 an ARP packet containing aninvalid MAC address. Now both of their arp tables are messed up for atleast 30 seconds. Server and person1 cant find thatinvalid MAC address so they send their data to the IP its associated with, the attacker. So in this case the attacker has asniffer setup and hes collecting a ton of data. Now the attacker (an advanced one at that) can issue commands as person1 tothe server. This attack takes timing and skill to pull off on the internet, but on a LAN its very easy. It only allows formaybe 30 or so seconds of sniffing, until their arp table is constructed properly again.

DRDOS attack

A DRDOS attack uses a little of other attacks to inflict damage. This attack spoofs the source IP address of SYN packetsto the IP of the victim. It requires a third party. This is the part of the attack that makes it so easy. All it needs issome ftp, webserver, telnet.. ANY service that will reply with an ACK packet, anywhere on the internet. Could be angelfiresfree ftp servers, could be your neighbors web server running off his 233mhz compaq with IIS 4.0. It doesn't matter! The SYNpackets are sent to that services IP address and they of course reply with a steady stream of SYN/ACK packets to the victim.Most likely directed towards an open port on the victims machine, crashing that service and the system. These attacks arenear impossible to track down. This attack is quite possibly the strongest DOS attack in my opinion. For every SYN packetyou send the middle man, it sends out up to 4 SYN/ACK combinations to the victim. And each time the victim doesn't respondthe middle man sends even more (error correction). This allows the attacker to contruct a massive attack from just onemachine with a broadband connection. There are more dangers to this attack as well, there are hundreds of thousands of FTP,webservers and many more services running on the net today that will deflect these SYN/ACK packets at the victim. So intheory this attack could use any number of 'middle man' servers to bombard your network with packets.